Irish organisations will have to treat the UK as a 'third country' in the event of a 'no deal' Brexit and apply extra legal overheads to comply with GDPR, the Irish Data Protection Commission said.

How would data be controlled in the event of a 'no deal' Brexit? (pic: Charles McQuillan/Getty Images)

The Irish Data Protection Commission has issued an advisory on transfers of personal data to and from the UK in the event of a ‘no deal’ Brexit.

The warning by the Republic of Ireland data watchdog, issued just before Christmas, applies to transfers of data to Northern Ireland as well.

In the event of the UK and the EU not reaching a deal before 29 March – the date on which the UK leaves the EU – the DPC says that Irish organisations will have to put in place a transfer mechanism to be able to continue to lawfully transfer data to the UK.

Failure to do so would place the organisation in breach of the General Data Protection Regulation (GDPR) and attract fines of up to four percent of global turnover for mishandling personal data. The guidance is relevant to other EU countries as it is based on a straightforward interpretation of GDPR.

Under EU data protection law, organisations in EU member states can transfer data freely, but where the transfers are going to ‘third countries’ – defined as countries outside the European Economic Area – additional safeguards are required to ensure that EU data protection standards are observed. Rules on transfers to third countries are set out in Chapter V of the GDPR.

Without a withdrawal agreement, the UK would become a third country on 30 March.

Irish organisations that use UK services will be affected, the DPC said. "If an Irish company currently outsources its payroll to a UK processor, legal safeguards for the personal data transferred to the UK will be required. If an Irish government body uses a cloud provider based in the UK, it will also require similar legal safeguards," it said.

EU law allows for transfers of data to countries which it has judged to have "adequate" data protection regulations. An "adequacy decision" allows data to flow to third countries without further safeguards, but the DPC said such a decision will not be in place for the UK by exit day.

This means that organisations transferring data to UK bodies will have to fall back on standard or model contractual clauses which have been approved by the EU Commission, as some UK companies operating outside the UK already use.

The UK has said that it will permit the free flow of information from the UK to EU countries in the event of a no deal Brexit. For third countries, it will implement a system similar to the EU’s model clauses and recognise as adequate those countries which have been recognised by the EU.

Joseph Carson, chief security scientist and advisory CISO at Thycotic, told SC Media UK that it feels like preparing for GDPR all over again. "However, this time due to the poor decision making within the UK parliament, organisations now have less than three months to prepare a digital data border," he said.

And he added, "Organisations that have done a good job of preparing for EU GDPR, will have made it easier for themselves as this would have surely helped understand what data they store and how it is processed so it might make the short turnaround much easier."

Patrick Grillo, senior director of solutions marketing at Fortinet, told SC, "With a structured Brexit (read deal in hand) it is assumed that there would be a reasonable transition period allowing organisations to smoothly manage their operations to other countries and/or permitting the UK to become an authorised third-party country. Without that transition period, however, the potential for significant disruption is real."

And he asked, why has it taken the DPC so long to address the issue of a no deal Brexit? "With the Irish border issue being such a key point of the Brexit negotiations, it is curious that this aspect of a no-deal Brexit has not been talked about more often," he said.